Black Hat 2015 – 5 security vulnerabilities that have researchers worried
There is no single theme that stands out at Black Hat - it's more a case that everything is going to hell in a handcart. But the quality has risen over time. Here we pick on a few of the important presentations.
Malvertising - it's suddenly got a lot bigger
In the space of barely a year malicious advertising (malvertising) has grown from an interesting tactic employed by cybercriminals into the most important way to distribute malware. The world has yet to catch up with this change despite numerous warnings about its effectiveness.
According to a presentation by security firm RiskIQ, which monitors two billion publisher pages and 10 million mobile apps each day, the volume has jumped by 260 percent in a year with fake Flash updates now the most common lure. The firm blames the rise of 'programmatic advertising', the way that ad traffic is now being managed by machine-to-machine technology that offers numerous places for malvertising to hide, spread and thrive.
This obviously presents a major headache for enterprises and consumers alike, neither of which expect to encounter malicious code inside or being served from what might otherwise be the legitimate ads that fuel the Internet.
"The major increase we have seen in the number of malvertisements over the past 48 months confirms that digital ads have become the preferred method for distributing malware," said RiskIQ co-founder and CEO, Elias Manousos.
"Malvertisements are difficult detect and take down since they are delivered through ad networks and are not resident on websites. They also allow attackers to exploit the powerful profiling capabilities of these networks to precisely target specific populations of users."
Android - a tale of two flaws
This was without doubt the most significant Black Hat show for Android, an operating system whose flaws are starting to come to light at an alarming rate. The biggest of these was something called Stagefright, discovered by a small outfit called Zimperium, coining a flaw nickname that caught the right mood or alarm.
Techworld has covered the Stagefright flaw in some depth elsewhere but the fact that almost the entire Android user base was vulnerable to something that could be exploited with almost no complexity grabbed the attention. Patches have been issued although they will take time to reach handsets until which the best advice is to turn off MMS auto-retrieve.
Close on its heels came a second less alarming but in some ways more complex flaw from Check Point called 'Certifi-gate'. The issue with this one is that it could be much harder to fix because it exists in remote support plugins used by many smartphone makers and carriers.
Border Gateway Protocol (BGP) - more attention neededBGP is one of those things engineers pay attention to. As one of the core protocols on which the Internet operates, BGP matters because it is used by routers to keep each other informed of router peering - without that the Internet would have no resilience, indeed arguably would cease to be the Internet.
Considered resilient and secure, it wouldn't take much for an incident to cause big problems. Indeed, there have been a small number of infamous examples where things went awry, including the Pakistani Government attempting to block YouTube by interfering with BGP tables in 2008 and a Chinese ISP that in 2010 accidentally started propagating 3,700 routes they had no rights to.
There are some opportunities for attacks on this infrastructure but another big issues, according to a presentation by Wim Remes of Rapid7 is simply that analysis of misconfigurations is currently poor. Oversight is there but with the Internet of Things upon us, it needs to shape up and rapidly, possibly using development such as Resource Public Key Infrastructure (RPKI).
Man in the Cloud - the invisible attackResearch by Imperva underlined how cybercriminals are using synchronization services such as GoogleDrive, Box, OneDrive and DropBox as infrastructure for an emerging type of attack that requires little attack code and that can't currently be detected by endpoint security systems.
Imperva's discovery is that these services are designed in such a way that while the account credentials can't be hijacked, the tokens used by them are highly vulnerable to interception in ways that allow attackers to compromise files traversing the services. Since enterprises allow these services, and see them as secure, the risk is that they will be targeted. The services can also therefore act as channels to remove data without that being detectable, and for command & control.
Blue Coat systems reported on an attack in late 2014 that appeared to be based on the same principle.
Windows Server Update Services Vulnerability - hijacking trust
A presentation by UK-based Context Information Security covered the surprising vulnerability of Windows Server Update Services (WSUS) which they found allows a user with low privileges to install software as if they were genuine parts of the Windows Update process on internal networks. The flaw is only present where firms are not using SSL, and resort to plain HTTP but it turns out that is the default.
"During the update process, signed and verified update packages are downloaded and installed to the system. By repurposing existing Microsoft-signed binaries, we were able demonstrate that an attacker can inject malicious updates in order to execute arbitrary commands," said the researchers.
Enterprises were advised to check the registry keys settings in the WSUS group policy settings - any Windows PC not using https is vulnerable.